Internet Security Systems (ISS) today issued an advisory concerning the tool, dubbed "Trinity v3," which was discovered during an investigation of attacks on two educational institutions. ISS declined to name the victims.
Trinity v3 joins Trinoo, TFN2K, Stacheldraht, Shaft and other programs made to launch "distributed-denial-of-service" (DDoS) attacks. In a DDoS attack, a programmer secretly embeds software into hundreds or thousands of computers. At a designated command or time, infected host computers send messages to a target computer. The volume of messages arriving over the Internet effectively knocks out the target server, making the Web site inaccessible to other Net surfers.
DDoS attacks jumped to prominence earlier this year when variations of the attack were blamed for temporarily bringing down Web sites of major Internet companies, including Yahoo and Amazon.com.
ISS security consultant Chris Rouland said Trinity has new features that make it potentially more dangerous than other known DDoS strains. For example, he said he is unaware of any other DDoS tool that uses Internet Relay Chat (IRC) for its delivery system. IRC allows Net users to communicate in real time by joining channels hosted on one or more computers; a channel can be protected with a password, known as a key.
Most significantly, Rouland said, Trinity poses a major new problem by making the attack commands available to anyone on IRC who has a password to access the hosting channel.
"In our copy of Trinity, it joins the IRC channel #b3eblebr0x using a special key," ISS wrote in its advisory. "Once it's in the channel, the agent will wait for commands. Commands can be sent to individual Trinity agents or sent to the channel, and all agents will process the command."
IRC offers several other advantages for delivering an attack of this kind, Rouland said, pointing to three major benefits: It affords a high degree of anonymity; it is difficult to detect; and it provides a strong, guaranteed delivery system.
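The advisory's description (agents join one keyed channel and wait there for commands) suggests a simple network-side check: look for several internal hosts sending a keyed JOIN for the same channel on the same server. The sketch below is an added example, not code from ISS or from the tool; the log format, the addresses, the key value and the `min_hosts` threshold are all assumptions, and only the channel name comes from the quote above.

```python
import re
from collections import defaultdict

# Constructed sample input: "<src_ip> <server:port> <IRC line sent by the client>".
# Addresses and the key are made up; only #b3eblebr0x appears in the advisory quote.
SAMPLE_LINES = """\
10.0.1.15 192.0.2.10:6667 NICK user1
10.0.1.15 192.0.2.10:6667 JOIN #b3eblebr0x examplekey
10.0.2.22 192.0.2.10:6667 JOIN #b3eblebr0x examplekey
10.0.3.9 192.0.2.10:6667 join #B3EBLEBR0X examplekey
10.0.4.40 198.51.100.7:6667 JOIN #linux-help
10.0.4.41 198.51.100.7:6667 JOIN #private,#linux-help otherkey
10.0.1.15 192.0.2.10:6667 PRIVMSG #b3eblebr0x :hello
""".splitlines()

# IRC client syntax: JOIN <chan>{,<chan>} [<key>{,<key>}]; commands are case-insensitive.
JOIN_RE = re.compile(r"^JOIN\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)

def keyed_joins(lines):
    """Yield (src_ip, server, channel) for every JOIN that supplies a channel key."""
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # not in the assumed three-field format
        src, server, payload = parts
        m = JOIN_RE.match(payload)
        if not m or not m.group(2):
            continue  # not a JOIN, or a JOIN without any key
        channels = m.group(1).split(",")
        keys = m.group(2).split(",")
        # Keys pair with channels by position; channels beyond the key list are unkeyed.
        for chan, key in zip(channels, keys):
            if key:
                # Channel names are case-insensitive (simplified to lower() here).
                yield src, server, chan.lower()

def shared_keyed_channels(lines, min_hosts=3):
    """Map (server, channel) to the sorted internal hosts that joined it with a key."""
    hosts = defaultdict(set)
    for src, server, chan in keyed_joins(lines):
        hosts[(server, chan)].add(src)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (server, chan), srcs in shared_keyed_channels(SAMPLE_LINES).items():
        print(f"{len(srcs)} hosts joined keyed channel {chan} on {server}: {srcs}")
```

A hit is a lead for investigation rather than proof of infection, since legitimate private channels also use keys.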
Michael Hornin, a security consultant with the University of Washington, said he had not heard of Trinity v3. But he agreed that the technique of harnessing IRC could pose new problems for companies seeking to guard against DDoS attacks.
"In the past year DDoS tools have really come into the limelight, and the people who write this kind of software are constantly looking for ways to make it better," he said. "This is another example of that. Writing software that launches from IRC makes it vastly more powerful by making it available to anyone" with the key.
According to Rouland, more than 400 computer systems have been infected with the new Trinity v3 attack tool, turning them into potential drones for future attacks.
"That's enough to bring down almost any system," he said.